Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We're here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you're a consumer, a techie or a D.C. lifer, we're here to give you ...

THE BIG STORIES:

--EARLIER EQUIFAX HACK: The Equifax controversy continues to churn, more than a week after the credit reporting firm disclosed a breach that compromised personal information on as many as 143 million Americans. Equifax reportedly knew about a major hack of its computer systems in March, nearly five months before the hack that was disclosed to the public. A source told Bloomberg, which first reported the earlier hack, that the same hackers are behind both breaches. But the company, in a statement to The Hill, denied the March breach was tied to the hack in which the personal and financial information of as many as 143 million U.S. consumers was exposed. The second hack, which has dominated headlines and crashed Equifax's stock since it was announced earlier this month, exposed Social Security numbers, birth dates and other personal information.

--MORE EQUIFAX FALLOUT: The company announced late Friday that two Equifax executives, its chief information officer and chief security officer, would resign from their positions effective immediately. Meanwhile, Bloomberg reported Monday that the Justice Department is investigating possible violations of insider trading laws by three top Equifax executives who sold stock in the company totaling nearly $2 million before the breach was publicly disclosed. The Equifax probe is reportedly being handled by the U.S. attorney's office in Atlanta, where the credit reporting firm is based. In a statement, a representative for the U.S. attorney's office for the Northern District of Georgia said that it is working with the FBI in its criminal investigation into the breach and the "resulting theft of personal information," but declined to comment further. The company has said the executives did not know about the breach at the time they made the sales. Nevertheless, the development has prompted scrutiny on Capitol Hill, with a bipartisan pair of lawmakers pressing the company for information on when top executives were notified of the breach.

--KASPERSKY CONTROVERSY: FIVE THINGS TO KNOW: Government scrutiny of Moscow-based cybersecurity firm Kaspersky Lab has grown after the Trump administration on Wednesday barred federal agencies and departments from using software produced by the company, citing potential risks to U.S. national security. The multinational firm, which boasts more than 400 million customers globally, has come under fire in Washington as lawmakers have grappled with Moscow's alleged interference in the 2016 presidential election. The U.S. government has never produced public evidence linking the company to the Kremlin. But the Department of Homeland Security (DHS) made waves this week by issuing a public directive ordering federal executive bodies to come up with "detailed plans" to discontinue their use of Kaspersky anti-virus software. In light of the latest development, here are five things you need to know about Kaspersky and the controversy around whether its anti-virus products can be trusted.

--SENATORS PUSH FOR 9/11-STYLE COMMISSION TO PROBE RUSSIAN HACKING: A bipartisan pair of senators is moving to create a 9/11-style commission to examine the cyberattacks that took place during the 2016 presidential election campaign. Sens. Kirsten Gillibrand (D-N.Y.) and Lindsey Graham (R-S.C.) announced legislation on Friday to establish the National Commission on Cybersecurity of U.S. Election Systems to study the election-related cyberattacks, which the intelligence community has attributed to Russia, and make recommendations on how to guard against such activity going forward. The commission would be modeled after the 9/11 Commission tasked with investigating the Sept. 11, 2001, terrorist attacks against the United States. There have previously been calls from lawmakers, mostly Democrats, for a 9/11-style commission to examine Russia's interference campaign. The new legislation comes several months after Reps. Eric Swalwell (D-Calif.) and Elijah Cummings (D-Md.) introduced similar legislation in the House at the beginning of this year, which has accumulated support from all House Democrats and two Republicans. The commission would be required to report on its findings to federal, state and local governments. The panel would be comprised of experts selected by state election authorities and congressional leaders. "We need a public accounting of how [the Russians] were able to do it so effectively, and how we can protect our country when Russia or any other nation tries to attack us again," Gillibrand said in a statement, noting that "the clock is ticking before our next election."

--BREACH NOTIFICATION LEGISLATION BACK AFTER EQUIFAX: Rep. Jim Langevin (D-R.I.) reintroduced a bill establishing a national breach notification law on Monday, the latest piece of legislation positioned as a response to the Equifax data breach. "There is much still to learn about the Equifax breach and its ramifications. What is abundantly clear, however, is that consumers are still not sure whether they were affected and what information was stolen," Langevin said in announcing the reintroduction of the Personal Data Notification and Protection Act, considered an Obama administration priority when it was introduced in 2015. "Equifax has done a terrible job communicating about the breach to date, and this legislation will ensure that any future such breach has a single standard and one federal regulator to help get actionable information to consumers quickly," Langevin continued. The laws designating how businesses must react after a data breach currently vary wildly from state to state. Langevin's bill would require all states to abide by the same standard, giving companies 30 days to notify all victims of a breach and requiring companies to coordinate notifications with the Federal Trade Commission.

--DEFENSE BILL PASSES SENATE: The full Senate Monday evening passed the fiscal 2018 National Defense Authorization Act (NDAA) by an 89-8 vote after about a week of debate on the bill. The debate was hampered by delays over four of the more controversial amendments to the bill. The final defense policy bill, which passed the chamber Monday evening, includes a number of cyber-related provisions, including language that would bar the federal government from using software produced by Kaspersky Lab--essentially codifying into law the ban announced by Homeland Security last week.

President Trump has decided to nominate Walter Copan to lead the federal body responsible for producing cybersecurity guidance for the federal government and private sector entities. Trump late last week nominated Copan to serve as undersecretary of commerce for standards and technology, which would make him the leader of the non-regulatory National Institute of Standards and Technology (NIST). Copan is currently president and CEO of IP Engineering Group Corp. in Colorado, a company that helps clients "achieve the full technical and economic potential of their intellectual property." Copan will replace Kent Rochford, currently the acting undersecretary, if confirmed to the top Commerce post.

Copan's nomination generated praise from the top Republican on the House Science Committee. "I am pleased that President Trump has nominated Walter Copan to lead NIST," said Rep. Lamar Smith (R-Texas). "Because our federal systems are prime targets for cyber-attacks, it is crucial that we maintain and heighten cybersecurity. NIST has the expertise necessary to help protect our information systems and is the front line of defense against cyber-attacks on the federal government and private sector."

PRIVACY SHIELD: U.S. and European Union officials are meeting this week to conduct the first annual review of the data transfer agreement known as the EU-U.S. Privacy Shield, a framework that helps companies transfer personal data across the Atlantic while complying with data protection requirements.

The agreement was designed by the U.S. Department of Commerce and the European Commission and approved last July, replacing the Safe Harbor agreement that was struck down by the European Court of Justice.

In anticipation of the review, the White House put out a statement late last week expressing confidence that the review "will demonstrate the strength of the American promise to protect the personal data of citizens on both sides of the Atlantic." The review is bringing together U.S. and EU officials, in addition to industry representatives.

While officials have billed the pact as one that bolsters data privacy protections for Europeans, it has become subject to scrutiny. The data transfer agreement is currently being challenged in European court on the grounds that it does not contain adequate privacy protections.

Roughly 2,400 U.S. companies have adopted the framework in order to transfer data out of the European Union to the United States.

"The number one thing that Commissioner Jourová and the EU delegation [are] concerned with is certainly the U.S. government obligations under the Privacy Shield framework and the enforcement of the company commitments," said Kendall Burman, a cybersecurity and data privacy attorney at Mayer Brown and former deputy general counsel for the Department of Commerce.

BSA The Software Alliance, a tech industry group, released a statement last week encouraging EU and U.S. officials to "hold fruitful and constructive discussions to further solidify the success" of the framework, casting the pact as one that balances privacy protections with the need for swift data flows.

The review is likely to wrap up in the next few days, after which Jourová is scheduled to travel to Silicon Valley to meet with tech company representatives, including Facebook's Sheryl Sandberg and executives at Apple and Google.

Following the review, the European Commission will produce a report spelling out its findings, expected to be completed in October, according to Reuters.

A BONUS CYBER TIDBIT:

MOZILLA REIGNITES SECURITY DEBATE: Mozilla, the maker of the Firefox browser, is taking another stab at promoting reform of the Vulnerabilities Equities Process (VEP), a federal process used to grant permission to keep certain hacking techniques secret.

Intelligence agencies that research ways to break into computers are supposed to work with the presumption that they will notify computer equipment makers of any security flaw and allow them to patch it. When an agency feels it absolutely must keep a flaw secret to use for espionage, it is supposed to apply to do so before a third-party board -- a system known as the VEP.

It is not without drawbacks. Every vulnerability the government keeps secret is a security flaw hackers can discover and use undetected. The NSA, for example, reportedly knew about the vulnerabilities used in "NotPetya" and "WannaCry" for years before both malware strains were used in massive malware outbreaks this year.

Mozilla wants to codify the VEP to include more input from consumer protection agencies, with more independence from the NSA. It is launching a six-hour workshop on the issue, "Cyber(in)security," that will be held on Tuesday, October 24th.

"User security is a priority and we believe it is necessary to have a conversation about the reforms needed to strengthen and improve the Vulnerabilities Equities Process to ensure that it is properly transparent and doesn't compromise our national security or our fellow citizens' privacy," said Denelle Dixon, Mozilla's chief business and legal officer.